How to Create a Cross-Account Role in Terraform

To create a cross-account role in Terraform, you need to carry out the following steps:

1. Define the IAM role

Define the IAM role in the Terraform configuration:

 resource "aws_iam_role" "cross_account_role" {
   name = "CrossAccountRole"

   # Trust policy: which principal is allowed to call sts:AssumeRole on this role
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Effect": "Allow",
       "Principal": {
         "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
       },
       "Action": "sts:AssumeRole"
     }
   ]
 }
 EOF
 }

In the assume_role_policy block, replace <ACCOUNT_ID> with the AWS account ID of the target account that will assume this role.

2. Attach the necessary policies

Attach the necessary policies to the role. Policies define the permissions granted to the role:

 resource "aws_iam_role_policy_attachment" "cross_account_role_attachment" {
   role       = aws_iam_role.cross_account_role.name
   policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" # Example policy
 }

Replace "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" with the ARN of the policy you wish to attach to the role.

3. Create a role trust relationship

Create a role trust relationship in the target AWS account to permit the cross-account access. This step is carried out outside Terraform. You need to log in to the target AWS account and create a role trust policy for the role created in the previous steps.

Here's an example of the trust policy in JSON format:

 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Effect": "Allow",
       "Principal": {
         "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:root"
       },
       "Action": "sts:AssumeRole"
     }
   ]
 }

Replace <SOURCE_ACCOUNT_ID> with the AWS account ID where the role is created.

4. Use the created cross-account role

Use the created cross-account role in other resources by specifying the ARN of the role:

 # Provider alias that assumes the cross-account role. aws_s3_bucket has no role_arn
 # argument, so the ARN goes here; resources that set provider = aws.cross_account
 # are then created in the account the role lives in.
 provider "aws" {
   alias = "cross_account"
   assume_role {
     role_arn = aws_iam_role.cross_account_role.arn
   }
 }

 resource "aws_s3_bucket" "example_bucket" {
   provider = aws.cross_account
   bucket   = "example-bucket"
 }

Remember to run terraform init, terraform plan, and terraform apply to initialize the Terraform configuration, plan the changes, and apply them to create the cross-account role.

5. What you need to do in the target account

In addition to creating the IAM role in the source account using Terraform, you also need to carry out the following steps in the target account to establish the cross-account access:

  1. Log in to the AWS Management Console of the target account.
  2. Navigate to the IAM service.
  3. Create a new IAM role that will assume the cross-account role.
  4. Attach a trust policy to the newly created role to permit the source account to assume this role:
    • Click "Trust relationships" for the role.
    • Click "Edit trust relationship".
    • Specify the trust policy document with the necessary permissions. Here's an example of the trust policy in JSON format:

 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Effect": "Allow",
       "Principal": {
         "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:root"
       },
       "Action": "sts:AssumeRole"
     }
   ]
 }

    Replace <SOURCE_ACCOUNT_ID> with the AWS account ID where the cross-account role is created.

    • Click "Update Trust Policy" to save the changes.
  5. Once the trust policy is in place, you can use the ARN of the cross-account role in the source account to grant the necessary permissions to resources in the target account.

By setting up the trust policy in the target account, you permit the specified role in the source account to assume the cross-account role and access resources in the target account.
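As an added example (not the original post's code), here is the whole pattern from steps 1 to 5 in one Terraform configuration, so the target-account side is created by Terraform instead of in the console, and the trust is narrowed from ":root" (every principal in the source account) to one named deployer role plus an sts:ExternalId condition, which is the standard guard against confused-deputy misuse. It assumes the default AWS credentials belong to the source account, that the target account already has an admin role Terraform can bootstrap through, and that the account IDs, role names and external ID below are placeholders.

```hcl
locals {
  source_account_id = "111111111111"                  # placeholder
  target_account_id = "222222222222"                  # placeholder
  deployer_role_arn = "arn:aws:iam::${local.source_account_id}:role/TerraformDeployer"
  external_id       = "replace-with-a-random-value"   # placeholder, keep out of VCS
}

# Bootstrap provider for the TARGET account (the admin role name is a placeholder).
provider "aws" {
  alias  = "target_admin"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${local.target_account_id}:role/OrganizationAccountAccessRole"
  }
}

# Trust policy: only the named deployer role (not the whole :root account) may assume
# the role, and only when it presents the agreed ExternalId.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [local.deployer_role_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [local.external_id]
    }
  }
}

resource "aws_iam_role" "cross_account_role" {
  provider           = aws.target_admin
  name               = "CrossAccountRole"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Provider that workloads use: it assumes the new role and presents the ExternalId.
provider "aws" {
  alias  = "target"
  region = "us-east-1"
  assume_role {
    role_arn    = "arn:aws:iam::${local.target_account_id}:role/CrossAccountRole"
    external_id = local.external_id
  }
}
```

The policy attachment from step 2 is added unchanged apart from `provider = aws.target_admin`, and any resource with `provider = aws.target` is created in the target account through the role.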
